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Research  Accomplishments 

Under  the  auspices  of  this  AFOSR  funding,  research  was  performed  on  a 
variety  of  topics  related  to  the  implementation  of  fault-tolerant  and  secure 
systems,  with  emphasis  on  systems  that  are  extensible  and/or  that  employ 
mobile  code.  The  research  involved  theoretical  as  well  as  practical  compo¬ 
nents  and  led  to  32  publications  (listed  at  the  end  of  this  report) ,  including 
two  books,  and  two  patents. 

Agent  Integrity 

Agents  comprising  an  application  must  not  only  survive  (possibly  malicious) 
failures  of  the  hosts  they  visit,  but  they  must  also  be  resilient  to  hostile  ac¬ 
tions  by  other  hosts.  Replication  and  voting  enable  an  application  to  survive 
some  failures  of  the  hosts  it  visits.  Hosts  that  are  not  visited  by  agents  of  the 
application,  however,  can  masquerade  and  confound  a  replication  scheme. 
Two  classes  of  protocols  to  solve  these  agent  integrity  problems  were  initially 
developed  as  part  of  this  AFOSR  project.  One  class  uses  chained  crypto¬ 
graphic  certificates;  the  second  class  uses  cryptographic  signature-sharing. 
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We  were  then  able  to  unify  these  protocols  by  viewing  them  in  terms  of  del¬ 
egation.  In  each,  the  principals  are  sets  of  hosts  (services)  and  authorization 
is  transferred  from  one  principal  to  another. 

In  some  settings,  hosts  being  visited  by  agents  cannot  be  replicated,  so 
the  preceding  protocols  do  not  apply.  This  led  us  to  investigate  protocols  for 
agent  fault-tolerance  without  host  replication.1  With  these  NAP  protocols, 
execution  of  an  agent  A  on  a  host  is  monitored  by  agents  (napping)  on  other 
hosts.  If  the  failure  of  A  or  of  the  host  on  which  A  executes  is  detected,  then 
one  of  the  napping  agents  performs  a  recovery  action.  This  recovery  action 
might  involve  retrying  A,  dispatching  a  different  agent  to  some  other  host, 
or  alerting  the  computation’s  initiator  of  a  problem.  NAP  is  not  resilient  to 
hostile  host  failures,  but  without  using  replication  no  scheme  can  be. 

The  difficult  part  of  implementing  NAP  involves  coordinating  the  nap¬ 
ping  agents.  A  protocol  that  tolerates  multiple  failures  must  have  multiple 
agents  napping,  each  monitoring  execution.  A  coordination  protocol  is  re¬ 
quired  to  ensure  that  more  than  one  napping  agents  does  not  detect  and  try 
to  restart  a  failed  agent.  Our  initial  solutions  to  the  coordination  problem 
were  complex  enough  that  their  correctness  was  suspect.  This  led  us  to  show 
that  the  problem  was  actually  an  instance  of  the  (fail-stop)  reliable  broad¬ 
cast  problem  that  we  solved  in  1983.  And,  by  refining  our  1983  protocol, 
we  were  able  to  support  a  broad  class  of  strategies  for  how  napping  agents 
are  disbursed  in  the  network.  This  broader  class  of  strategies  allows  our 
protocols  also  to  work  when  the  trajectory  of  an  agent  folds  back  on  itself, 
visiting  a  host  that  is  still  running  a  napping  agent. 

Enforceable  Security  Policies 

A  security  policy  defines  executions  that,  for  one  reason  or  another,  have 
been  deemed  unacceptable.  To  date,  application-independent  security  policies — 
like  mandatory  and  discretionary  access  control,  information  flow  restric¬ 
tions,  and  resource  availability — have  attracted  most  of  the  attention.  But 
with  the  expanding  role  of  computers  in  our  infrastructure,  specialized,  ap¬ 
plication-dependent  security  policies  are  becoming  increasingly  important. 

For  example,  a  system  to  support  mobile  code  might  prevent  information 
leakage  by  enforcing  a  security  policy  that  bars  messages  from  being  sent 
after  files  are  read.  To  support  electronic  commerce,  a  security  policy  might 
prohibit  executions  in  which  a.  customer  pays  for  a  service  but  the  seller  does 
not  provide  that  service. 

xThis  work  is  joint  with  Dag  Johansen  at  the  University  of  Tromsoe  (Norway)  and 
Keith  Marzullo  at  the  Univ  of  California,  San  Diego. 
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Over  the  period  of  this  grant,  we  developed  a  mathematical  character¬ 
ization  of  what  security  policies  are  enforceable.  First,  we  proved  that  en¬ 
forcement  mechanisms  cannot  exist  for  security  policies  that  are  not  safety 
properties.  Second,  we  developed  a  new  class  of  enforcement  mechanisms 
and  proved  that  it  is  complete  for  the  set  of  all  enforceable  security  poli¬ 
cies,  which  turns  out  to  be  the  set  of  safety  properties.  Our  new  class  of 
mechanisms  is  based  on  security  automata ,  automata  that  accept  finite  and 
infinite  sequences. 

A  security  automaton  serves  as  an  enforcement  mechanism  for  some 
target  system  by  monitoring  and  controlling  the  execution  of  that  system. 
Each  action  or  new  state  corresponding  to  a  next  step  that  the  target  system 
takes  is  sent  to  the  security  automaton  and  serves  as  the  next  symbol  of 
that  automaton’s  input.  If  the  automaton  cannot  make  a  transition  on  an 
input  symbol,  then  the  target  system  is  about  to  violate  the  security  policy 
specified  by  the  automation,  and  the  target  system  is  terminated. 

We  demonstrated  the  practicality  of  enforcing  security  policies  expressed 
using  security  automata  by  constructing  and  evaluating  tools  to  generate 
inlined  reference  monitors  that  implement  security  automata  for  both  the 
Java  Virtual  Machine  and  Intel  x86  machines.  The  first  prototype  (SASI) 
worked  for  programs  written  or  compiled  into  Java  virtual  machine  code 
(JVML)  or  Intel’s  x86  machine  code;  a  second  generation  (PoET/PSLang) 
refined  the  approach  for  JVML.  Specifically,  given  a  security  automaton  SA 
that  expresses  a  security  policy  and  given  a  machine  language  program  P, 
both  SASI  and  PoET/PSLang  add  checks  to  P  that  are  necessary  in  order 
to  ensure  that  executing  P  is  guaranteed  not  to  violate  the  security  policy 
defined  by  SA.  In  addition,  using  standard  compiler  analyses,  our  prototypes 
attempt  to  minimize  the  number  of  checks  inserted. 

Using  SASI,  we  experimented  with  generalizations  of  two  well  known  se¬ 
curity  policies:  software  fault  isolation  (SFI)  and  the  Java  Standard  Security 
Manager.  Our  experiments  confirmed  that  SASI  generates  code  comparable 
with  hand-coded,  heavily  optimized  SFI  tools  for  the  x86,  and  in  fact  ex¬ 
ceeds  the  performance  of  the  hand-coded  Java  Standard  Security  Manager. 
Furthermore,  security  automaton  specifications  of  the  security  policies  have 
proven  to  be  easy  to  write,  understand,  and  modify.  Using  PoET/PSLang, 
we  showed  how  to  support  the  Java  2  “stack  inspection”  security  policy 
without  any  support  from  the  Java  virtual  machine.  This,  for  example,  al¬ 
lows  Java  2  programs  to  be  executed  on  previous  generations  of  the  Java 
run-time  system;  it  also  allows  deployment  of  variations  and  refinements  of 
the  Java  security  policy. 
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Inter-agent  and  Host  Security 

Not  only  must  agents  be  protected  from  attack  by  hosts,  but  hosts  and  agents 
must  be  protected  from  attack  by  other  agents.  Traditional  approaches  to 
ensuring  host  and  inter-agent  security  employ  a  reference  monitor  or  inter¬ 
preter  to  execute  operations  on  behalf  of  untrusted  agents.  However,  the 
run-time  costs  of  this  can  be  prohibitive.  We  therefore  investigated  an  al¬ 
ternative  approach  based  on  proof  carrying  code  (PCC).  In  the  general  PCC 
framework,  each  agent  comprises  raw  machine  code  and  a  formal  proof  that 
the  code  will  not  violate  the  security  policy  of  interest.  Before  executing 
an  agent,  a  host  checks  the  proof.  To  make  the  system  practical,  we  con¬ 
centrated  on  type  safety  as  the  security  policy  and  constructed  a  compiler 
that  automatically  produces  native  code  and  a  proof  of  type  safe  from  a 
high-level,  strongly-typed  language.  When  the  type  system  is  sufficiently 
powerful  to  encode  the  security  policy,  no  run-time  cost  is  incurred;  and 
when  the  type  system  is  too  weak,  run-time  checks  are  inserted  in  the  code, 
but  the  type  system  ensures  that  the  checks  cannot  be  bypassed. 

The  first  step  was  to  design  a  strongly  typed  assembly  language  (TAL) 
suitable  for  use  as  a  target  language  for  programming  agents.  The  type 
system  for  this  assembly  language  is  powerful  enough  to  ensure  that  a  wide 
variety  of  safety  properties  are  satisfied.  For  example,  if  a  host  provides 
an  interface  for  the  abstract  type  file  descriptors  along  with  operations  for 
creating  and  manipulating  file  descriptors,  then  type  correct  program  agents 
cannot  forge  file  descriptors  nor  can  they  apply  any  operations  to  file  de¬ 
scriptors  except  those  exported  by  the  host. 

Many  high-level  languages,  such  as  Java  and  SML,  provide  similar  guar¬ 
antees.  However,  TAL  has  two  important  properties  that  make  it  more  ap¬ 
pealing  in  environments  with  mobile  code.  First,  as  an  assembly  language, 
TAL  can  serve  as  a  target  language  for  a  variety  of  high-level  language  com¬ 
pilers,  including  those  for  both  Java  and  SML.  Agents  that  are  compiled 
to  TAL  need  not  be  tied  to  a  particular  language  environment.  Second,  all 
compilation,  including  low-level  optimizations  like  copy  propagation,  regis¬ 
ter  allocation,  and  instruction  scheduling,  can  be  performed  before  shipping 
agents  to  a  host.  Thus,  unlike  current  Java  implementations,  a  host  need  not 
have  access  to  a  trusted  high-level  language  compiler  or  interpreter  in  order 
to  support  an  agent.  Furthermore,  there  is  no  need  to  pay  the  overhead  of 
interpretation  or  compilation  before  invoking  an  agent. 

To  demonstrate  the  expressiveness  of  TAL,  we  showed  how  to  compile 
a  high-level  ML-based  language  to  TAL,  and  we  have  proven  that  such  a 
compiler  “preserves  typing” .  Specifically,  we  established: 
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•  The  compiler  always  produces  well-typed  assembly  language. 

•  Type  abstractions  at  the  source  level  are  preserved  at  the  assembly 
language  level. 

Thus,  for  example,  a  host  might  use  an  ML  abstract  type  to  implement  file 
descriptors,  compile  the  ML  code  to  TAL,  and  the  type  system  of  TAL  will 
ensure  that  no  agent  can  forge  descriptors  as  described  above. 

The  design  principles  behind  our  idealized  typed  assembly  language  were 
used  to  provide  a  concrete  implementation  of  these  ideas.  In  particular, 
we  constructed  a  suite  of  tools  for  automatically  type-checking  annotated 
Intel  x86  assembly  language  (and  object  files).  We  also  constructed  tools 
to  verify  that  object  files  match  specified  interfaces  and,  therefore,  may  be 
safely  linked  to  form  a  well- typed  executable  program. 

To  evaluate  the  claims  that  a  typed  assembly  language  provides  both  lan¬ 
guage  independence  and  support  for  highly-optimized  code,  we  constructed 
a  set  of  prototype  compilers  that  map  high-level  language  programs  to  type- 
correct  assembly  code.  Specifically,  we  constructed  prototype  Scheme  and 
Safe-C  compilers  that  generate  type-correct  Intel  x86  code.  In  addition, 
we  built  a  number  of  language-independent  optimizations  such  as  graph¬ 
coloring  register  allocation,  in  order  to  identify  shortcomings  in  the  type 
system  that  prevent  optimization  and  to  compare  our  approach  quantita¬ 
tively  to  others. 

Progress  was  also  made  in  the  design  of  the  type  system  that  could  ex¬ 
press  additional  security  properties  as  typing  assertions.  For  instance,  we 
studied  typing  mechanisms  to  support  a  purely  static  form  of  capability  en¬ 
forcement  Like  traditional  capability-based  systems,  our  type  system  allows 
agents  to  access  objects  only  if  they  have  a  capability  to  do  so.  Capabilities 
may  be  granted  by  the  host  and  are  unforgeable  by  agents.  However,  unlike 
traditional  capability  systems,  agents  need  not  carry  and  present  capabilities 
at  run-time.  Rather,  as  with  types,  capabilities  are  a  purely  static  concept 
and  hence  incur  no  dynamic  overhead. 

The  drawback  of  this  approach  is  that  capabilities  cannot  always  be 
revoked  by  the  host.  Instead,  the  host  and  the  agent  must  agree  to  re¬ 
voke  a  capability.  Nevertheless,  we  found  compelling  applications  for  such 
a  mechanism,  including  static  verification  of  memory  management  (garbage 
collection)  and  concurrency  control. 
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